2024-05-07 17:46:53

nick on Nostr: # Regulatory Compliant Privacy - 'Crypto's Trojan Horse Privacy Pools: A Symmetry of ...

# Regulatory Compliant Privacy - Crypto's Trojan Horse

Privacy Pools: A Symmetry of Evil
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4563364

A seemingly good-willed idea guides a protocol towards warped ends:

> *Users should have the freedom to prove their funds are not associated with terrorism.*

Regulatory compliant privacy tools such as Privacy Pools aim to allow users to achieve financial privacy whilst also being able to "demonstrate their funds originate through lawful sources".

This is achieved through
> *... proving membership in custom **association sets** that satisfy certain properties, required by regulation or social consensus.*

By hiding your funds among other honest users in a chosen association set, Privacy Pools aim to

> ... be a first step towards a future where people could prove regulatory compliance without having to reveal their entire transaction history

### Freedom-of-Dissociation or Proof-of-Innocence?
In commentary surrounding the proposal, authors reiterate that Privacy Pools allow for ***"freedom of dissociation"*** and are absolutely not ***"proof-of-innocence"***.

But is this distinction really so meaningful?

Privacy pools are presented as an opt-in, free-choice of association:
> "we let the user provide a set of possible origins of their funds, and this set can be as wide or as narrow as they wish."

With a market of different association sets to suit different user preferences!
> "we encourage an ecosystem to form that makes it easier for users to specify association sets that align with their preference"

Authors dismiss "Proof-of-innocence" as just a meme. This is a forced defense, since they realize any protocol that abandons the well-established principle of [presumption of innocence](https://en.wikipedia.org/wiki/Presumption_of_innocence) is an instant concession in the fight for privacy.

So instead, privacy pools are marketed as a protocol for free association with *membership proofs*.


**Yet the Privacy Pools paper itself acknowledges that there is no real difference between membership proofs and guilt-assumed *exclusion proofs*!**

### Onchain Regulation: Enter Troy
Given the systemic surveillance obligations within today's financial system, it seems more than likely that the boundary of what's considered "acceptable" for Privacy Pool membership will encroach far beyond funds related to terrorism.

If Privacy Pools (or another proof-of-innocence protocol) were widespread, cryptocurrency users would likely be compelled into proving relation to association/dissociation sets if they desire to interact with the existing financial system, such as selling via an exchange.

With Privacy Pools, regulators can claim there is no infringement on user privacy, while simultaneously pushing to outlaw onchain privacy for particular groups:
* Funds only linked to Know Your Customer (KYC) labelled accounts.
* Funds from users that do not engage with "unlicensed securities" or derivatives.
* Funds from users who are known taxpayers.
* Funds not linked to purchasing X, or guilty of supporting Y (e.g. political groups/wikileaks/scihub/whatever).

With a widespread Privacy Pool ecosystem, regulated exchanges would easily be pressured into adopting whatever onchain behaviour rulebook the State deemed appropriate at that point in time.

Some use cases suggested by authors:
* A 7 day time block on funds before being able to spend privately
* An $N/month withdrawal limit attached to "either a government-backed national ID system, or a lighter mechanism such as social media account verification" (actual quote)
* "Real-time AI-based scoring" 🪄... lmao

The evil symmetry of Privacy Pools is a gift to those wanting to separate what they perceive as `illegal` and `legal` privacy for cryptocurrency.

>"... Users will subscribe to intermediaries that we can call association set providers (ASPs) ..."

Keep your privacy! *but any transaction that doesn't use our Government Approved Association Set (tm) is now illegal!*

## Bilateral Direct Proofs: AML with Cryptographic Larping
Another use-case mentioned in the paper is "Bilateral Direct Proofs" where a user creates an association set containing only themselves, effectively delinking them from the anonymous pool. This is the zero privacy case which acts as a traditional source of funds.

The "advanced option" of this direct proof is a zero knowledge proof that the funds are:
(i) either present in this tiny association set
OR
(ii) this proof was produced by the bank themselves.

Since only the bank knows they did not create the proof themselves, only the bank can verify the source of funds. This is meant to add some privacy if the source-of-funds proofs were to fall into the wrong hands (read: State).

However, the realistic scenario is that the government will just ask the fucking bank whether they produced this ZKP, to which they will answer "NO", and the Government gains a direct delinkage of funds to any account.

But hey, Zero Knowledge Proofs!! Freedom of association!

## Further Mysteries with Privacy Pools

In terms of the *actual privacy* of Privacy Pools, repeated overlapping participation in different association sets can leak insights which may help deanonymize a user.

The authors just barely acknowledge this:
```
We strongly recommend that at least the Merkle root of the
association set should be published on-chain; this removes the
ability for malicious ASPs to engage in certain types of attacks
against users (e.g., giving different users different association
sets in an attempt to deanonymize them).
```

This makes one question how there can be an "ecosystem" that "makes it easier for users to specify association sets", unless they are expected to be completely segregated.

This privacy loss from overlapping association sets is neither elaborated nor quantified.
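
To put a number on the overlap leak, and to show the check that an on-chain Merkle root makes possible, here is an added example (not code from the paper or from any Privacy Pools implementation). It assumes an observer can tie several membership proofs to one deposit; the deposit labels, set contents and the simple SHA-256 tree layout are constructed for illustration.

```python
import hashlib
from math import log2

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle_root(leaves):
    """Root over the sorted leaves; constructed layout, not the protocol's tree."""
    level = [_h(b"\x00" + leaf.encode()) for leaf in sorted(set(leaves))]
    if not level:
        return _h(b"")
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            pair = level[i:i + 2]
            # An unpaired node is promoted unchanged rather than duplicated.
            nxt.append(_h(b"\x01" + pair[0] + pair[1]) if len(pair) == 2 else pair[0])
        level = nxt
    return level[0]

def served_set_matches(served_leaves, onchain_root):
    """True only if the set an ASP handed this user commits to the published root."""
    return merkle_root(served_leaves) == onchain_root

def anonymity_left(linked_sets):
    """(candidate count, bits) once proofs against every set are tied to one deposit."""
    candidates = set.intersection(*(set(s) for s in linked_sets))
    return len(candidates), (log2(len(candidates)) if candidates else 0.0)

# Constructed sample data: 64 deposit labels and three overlapping association sets.
deposits = [f"deposit-{i:02d}" for i in range(64)]
SET_A, SET_B, SET_C = deposits[0:32], deposits[16:48], deposits[28:36]

if __name__ == "__main__":
    for label, sets in [("A", [SET_A]), ("A+B", [SET_A, SET_B]),
                        ("A+B+C", [SET_A, SET_B, SET_C])]:
        n, bits = anonymity_left(sets)
        print(f"{label:6} -> {n:2d} candidate deposits, {bits:.1f} bits")
    published = merkle_root(SET_A)
    tailored = SET_A[:-1] + ["deposit-63"]   # one member swapped for a single user
    print("honest set matches root:  ", served_set_matches(SET_A, published))
    print("tailored set matches root:", served_set_matches(tailored, published))
```

With these sets, each additional overlapping proof halves or quarters the candidate pool, while the root comparison only tells a user that everyone was served the same set; it does nothing about the shrinkage from overlap.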

## Do Not Concede
Privacy Pool research was motivated by the ongoing persecution of Tornado Cash developers, the authors noting

>The critical issue with Tornado Cash was essentially that legitimate users had limited options to dissociate from the criminal activity the protocol attracted.

Developers being incarcerated for building privacy tools is absolutely alarming, but it is clear that Privacy Pools and regulatory compliant privacy are a serious misplay in the context of historic challenges against privacy and software free speech.

Mechanisms which divide the population into guilty or non-guilty render such a privacy protocol ripe for abuse.

Guilt, suspicion, or guilty association cannot be inferred from a person's desire for privacy.

This is a right that must be defended.
Author Public Key
npub1j8d6h8mzvc8f2fvysrf09nlkmn7m2ylj32zl5na4tm5e8fd5dqysrg26k2